AD RMS Client Requirements

The Active Directory Rights Management Services (AD RMS) client is included with the Windows Vista®, Windows® 7, Windows Server® 2008, and Windows Server® 2008 R2 operating systems. If you are using Windows XP, Windows 2000, or Windows Server 2003 as your client operating system, a compatible version of the AD RMS client is available for download from the Microsoft Download Center Web site.

The AD RMS client can be used with the AD RMS server role included in Windows Server 2008 and Windows Server 2008 R2 or with previous versions of RMS running on Windows Server 2003.

The AD RMS client creates a machine certificate, which contains the computer's public key and identifies the lockbox that holds the matching private key; the user's own key pair is protected with that machine key. You can verify the presence of the AD RMS client on a computer by finding the msdrm.dll file on the computer. In Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 this file is protected by Windows Resource Protection and cannot be modified except through official Microsoft updates.

Note

The lockbox contains the computer's private key and is the core client-side security component for encryption and decryption. The machine certificate contains the corresponding public key for the computer. The lockbox is originally created when the client is activated. When the lockbox is loaded, it performs its functions only if it determines that the client system has not been altered to a significant degree. For example, if the client's clock has been moved backward or forward, the lockbox will fail to unlock protected content. If the client system's hardware has changed to any significant degree, the lockbox will also fail. In such cases, the lockbox is marked damaged, and the client will have to reactivate the computer. For more information about lockboxes, see Lockboxes (http://go.microsoft.com/fwlink/?LinkId=153480) in the AD RMS SDK in the MSDN Library.
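The presence check described above, as an added PowerShell example that is not part of this article: it confirms msdrm.dll exists, checks that it still carries a valid Authenticode signature (the practical way to notice a binary that was replaced outside Windows Update), and lists the machine-level DRM store that activation writes. The store path %ALLUSERSPROFILE%\Microsoft\DRM is an assumption for Windows Vista and later; adjust it for earlier clients.

```powershell
# Added example, not part of the original article. Confirms the AD RMS client is
# present and that msdrm.dll still carries a valid Microsoft signature, then lists
# the machine-level DRM store. The store path is an assumption for Windows Vista
# and later (%ALLUSERSPROFILE%\Microsoft\DRM). Written for Windows PowerShell 2.0.

function Test-AdRmsClient {
    $results = @()
    # On x64 the copy that 32-bit applications load lives in SysWOW64 as well.
    $candidates = "$env:SystemRoot\System32\msdrm.dll", "$env:SystemRoot\SysWOW64\msdrm.dll"
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $results += New-Object PSObject -Property @{
            Path        = $path
            FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            Signature   = $sig.Status     # expect 'Valid' for a WRP-protected, unmodified file
            Signer      = $signer
        }
    }
    if ($results.Count -eq 0) {
        Write-Warning 'msdrm.dll not found: the AD RMS client is not installed on this computer.'
        return $results
    }
    # Anything other than Valid means the binary was replaced or patched outside
    # Windows Update, or the signing chain cannot be built; investigate before
    # trusting this computer with protected content.
    foreach ($r in $results) {
        if ($r.Signature -ne 'Valid') {
            Write-Warning "Unexpected signature state on $($r.Path): $($r.Signature)"
        }
    }
    return $results
}

function Get-AdRmsMachineStore {
    $store = Join-Path $env:ALLUSERSPROFILE 'Microsoft\DRM'   # assumed location
    if (-not (Test-Path -LiteralPath $store)) {
        Write-Warning "No machine DRM store at $store; the client has probably never been activated."
        return
    }
    # Machine certificate and lockbox material are written here at activation; a store
    # whose timestamps change outside an activation is worth a closer look.
    Get-ChildItem -LiteralPath $store -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

Test-AdRmsClient | Format-Table Path, FileVersion, Signature, Signer -AutoSize
Get-AdRmsMachineStore | Format-Table -AutoSize
```

Run it from an elevated prompt so both copies of the DLL and the ProgramData store are readable. A missing store with a present, validly signed DLL is the normal state of a client that has not yet been activated against a cluster.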

Applications can use the AD RMS client to incorporate rights management features. For example, Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2010, and Windows Mobile 6 use the AD RMS client to support the information rights management features that provide rights management for documents, e-mails, spreadsheets, and slide presentations.

Beginning with Windows Vista and Windows Server 2008, the name of the AD RMS client has changed to Active Directory Rights Management Services (AD RMS) client and is integrated into the operating system so that a separate installation is not required. In earlier versions of Windows, the client is named Microsoft Windows Rights Management Services (RMS) client and is available from the Microsoft Download Center as a separate downloadable component. The RMS client can be installed on the Windows 2000, Windows XP, and Windows Server 2003 operating systems.

The AD RMS client requires little interaction from the client computer administrator. However, in more complex environments, it might be necessary to adjust the default AD RMS client configuration. A later section of this topic contains more information about configuration.

The RMS client supports three different architectures: x86, x64, and Itanium. The following table summarizes the client requirements depending on operating system and architecture.

Active Directory Rights Management Services (AD RMS) client service discovery is the method by which the AD RMS client discovers an AD RMS cluster. There are several ways in which this can occur:

Active Directory Domain Services (AD DS) service connection point (SCP) automatic service discovery. This is the recommended way to deploy an AD RMS environment. In this scenario, an SCP is created in the Active Directory forest where the AD RMS cluster is installed. When the AD RMS client attempts user activation on the computer, it queries the SCP to find the AD RMS cluster and download the rights account certificate (RAC). With automatic service discovery, no additional configuration is required on the AD RMS client.

Licensing discovery from the issuance license. The AD RMS client retrieves the service location URL from the issuance license of the protected content and performs a SOAP request to the server at that URL to obtain the licensing URL. If that request fails, the client performs a SOAP request to obtain the certification URL instead and derives the licensing URL from it by replacing /certification with /licensing.
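The two discovery paths above, as an added PowerShell example that is not part of this article: it reads the SCP from the forest's configuration partition (the object CN=SCP,CN=RightsManagementServices,CN=Services under the configuration naming context, whose serviceBindingInformation attribute holds the root cluster's certification URL), derives the licensing URL with the same /certification to /licensing substitution the client uses as a fallback, and probes each pipeline. The probe of server.asmx with a plain GET is an assumption about the service's ASMX description page and proves reachability only; host names are illustrative.

```powershell
# Added example, not part of the original article. Looks up the AD RMS SCP in
# Active Directory, derives the licensing URL from the certification URL, and
# probes both pipelines. Written for Windows PowerShell 2.0 on a domain member.

function Get-AdRmsScpUrl {
    # The SCP is a fixed object under the Services container of the configuration NC.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.Get("configurationNamingContext")
    $scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    try {
        $scp = [ADSI]$scpPath
        # serviceBindingInformation carries the root cluster's certification URL.
        return [string]$scp.Get("serviceBindingInformation")
    } catch {
        Write-Warning "No AD RMS SCP at $scpPath : $($_.Exception.Message)"
        return $null
    }
}

function ConvertTo-AdRmsLicensingUrl {
    param([Parameter(Mandatory = $true)][string]$CertificationUrl)
    # Fallback rule from the text: swap the /certification pipeline for /licensing.
    if ($CertificationUrl -notmatch '^(?<base>https?://[^/]+)/_wmcs/certification/?$') {
        throw "Not an AD RMS certification URL: $CertificationUrl"
    }
    return "$($Matches['base'])/_wmcs/licensing"
}

function Test-AdRmsServiceUrl {
    param([Parameter(Mandatory = $true)][string]$Url)
    # A cluster published over plain http exposes the SOAP exchange, and the RAC
    # it returns, to on-path tampering; flag it rather than silently accept it.
    if ($Url -notlike 'https://*') {
        Write-Warning "$Url is not HTTPS; certificates and licenses would travel in clear text."
    }
    # Assumption: the pipeline answers a GET for its server.asmx description page.
    # A 200 proves the URL is reachable, not that the pipeline is correctly configured.
    $probe = $Url.TrimEnd('/') + '/server.asmx'
    try {
        $resp = [System.Net.WebRequest]::Create($probe).GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return ($code -eq 200)
    } catch {
        Write-Warning "Cannot reach $probe : $($_.Exception.Message)"
        return $false
    }
}

$cert = Get-AdRmsScpUrl
if ($cert) {
    $lic = ConvertTo-AdRmsLicensingUrl $cert
    "Certification: $cert (reachable: $(Test-AdRmsServiceUrl $cert))"
    "Licensing:     $lic (reachable: $(Test-AdRmsServiceUrl $lic))"
}
```

If Get-AdRmsScpUrl returns nothing, automatic discovery cannot work on this client and the registry overrides described later are the only way to point it at a cluster.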

AD RMS client registry overrides. In complex AD RMS deployment topologies, more specific control of the AD RMS client is required. For versions of the Rights Management Services (RMS) client running on Windows XP, Windows 2000, or Windows Server 2003, these overrides are required for topologies where multiple Active Directory forests are deployed. Another example of where client registry overrides can be used is to support extranet users. In these cases, client registry overrides are created on the AD RMS client to force either certification or licensing of rights-protected content from an AD RMS cluster that is different from the one published in the SCP. The AD RMS client registry overrides used to override the SCP are created in:

For x86 clients: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation.

For x64 and Itanium-based clients: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\MSDRM\ServiceLocation.

The client registry override keys are the following:

Activation. This key overrides the default AD RMS certification service that is configured in the SCP. Set its default value to http(s)://<your cluster>/_wmcs/certification, where <your cluster> is the cluster URL (fully qualified name) of the root cluster that should be used for certification.

EnterprisePublishing. This key overrides the default AD RMS licensing service to which the AD RMS client connects. Set its default value to http(s)://<your cluster>/_wmcs/licensing, where <your cluster> is the cluster URL (fully qualified name) of the licensing-only cluster.

When you use Active Directory Federation Services (AD FS) to allow users from a trusted domain or forest to access protected documents, a registry entry on the client computers in that forest sets their federation home realm. On clients on the account partner side of the federation trust, it must be set to the FQDN and path of the client's home AD FS server. The key is created in:

For x86 clients: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\Federation

For x64 and IA64 clients: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\MSDRM\Federation

Within this registry key, create a registry entry named FederationHomeRealm of type REG_SZ. The value of this registry entry is the federation service URI.
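The registry overrides above (ServiceLocation\Activation, ServiceLocation\EnterprisePublishing and Federation\FederationHomeRealm), as an added PowerShell example that is not part of this article. It picks the MSDRM key for the local architecture, refuses values that are not well-formed pipeline URLs, warns when an override points at plain http, and reads the result back. The cluster and AD FS host names and the exact form of the federation service URI are placeholders.

```powershell
# Added example, not part of the original article. Writes and reads the MSDRM
# client overrides for the architecture of the local computer. Run from the native
# (64-bit on x64/IA64) elevated Windows PowerShell so the Wow6432Node path is not
# itself redirected. Written for Windows PowerShell 2.0.

function Get-MsdrmKeyRoot {
    # The client is 32-bit code; on x64 and IA64 it reads its settings under Wow6432Node.
    # PROCESSOR_ARCHITEW6432 is only set when a 32-bit process runs on a 64-bit OS.
    $arch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }
    if ($arch -eq 'x86') { 'HKLM:\SOFTWARE\Microsoft\MSDRM' } else { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSDRM' }
}

function Set-AdRmsClientOverride {
    param(
        [string]$CertificationUrl,    # -> ServiceLocation\Activation, default value
        [string]$LicensingUrl,        # -> ServiceLocation\EnterprisePublishing, default value
        [string]$FederationHomeRealm  # -> Federation\FederationHomeRealm (REG_SZ)
    )
    $root = Get-MsdrmKeyRoot
    $entries = @()
    if ($CertificationUrl) {
        if ($CertificationUrl -notmatch '^https?://[^/]+/_wmcs/certification$') { throw "Bad certification URL: $CertificationUrl" }
        $entries += ,@("$root\ServiceLocation\Activation", '(default)', $CertificationUrl)
    }
    if ($LicensingUrl) {
        if ($LicensingUrl -notmatch '^https?://[^/]+/_wmcs/licensing$') { throw "Bad licensing URL: $LicensingUrl" }
        $entries += ,@("$root\ServiceLocation\EnterprisePublishing", '(default)', $LicensingUrl)
    }
    if ($FederationHomeRealm) {
        $entries += ,@("$root\Federation", 'FederationHomeRealm', $FederationHomeRealm)
    }
    foreach ($e in $entries) {
        $key, $name, $value = $e
        # An override that steers certification or licensing to an http URL lets an
        # on-path attacker substitute the cluster; flag it before writing.
        if ($value -like 'http://*') { Write-Warning "$key will use plain HTTP: $value" }
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -LiteralPath $key -Name $name -Value $value -Type String
    }
}

function Get-AdRmsClientOverride {
    $root = Get-MsdrmKeyRoot
    foreach ($sub in 'ServiceLocation\Activation', 'ServiceLocation\EnterprisePublishing') {
        $key = "$root\$sub"
        $v = $null
        if (Test-Path -LiteralPath $key) { $v = (Get-ItemProperty -LiteralPath $key).'(default)' }
        New-Object PSObject -Property @{ Key = $key; Name = '(default)'; Value = $v }
    }
    $fed = "$root\Federation"
    $v = $null
    if (Test-Path -LiteralPath $fed) { $v = (Get-ItemProperty -LiteralPath $fed).FederationHomeRealm }
    New-Object PSObject -Property @{ Key = $fed; Name = 'FederationHomeRealm'; Value = $v }
}

# Placeholder values; replace with your own clusters and AD FS federation service URI.
Set-AdRmsClientOverride -CertificationUrl 'https://adrms.contoso.com/_wmcs/certification' `
                        -LicensingUrl 'https://licensing.contoso.com/_wmcs/licensing' `
                        -FederationHomeRealm 'https://fs.contoso.com/adfs/services/trust'
Get-AdRmsClientOverride | Format-Table Key, Name, Value -AutoSize
```

Because these keys override what the SCP publishes, treat them as security-relevant configuration: any account that can write to HKLM\Software\Microsoft\MSDRM can redirect certification and licensing, so keep them under Group Policy control and audit them with Get-AdRmsClientOverride rather than leaving them to local administrators.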